Verify Semgrep Rule in SARIF
Type: Rule
ID: sarif-semgrep-report
Source: v2/rules/sarif/verify-semgrep-report.yaml
Rego Source: verify-semgrep-report.rego
Labels: SARIF, Semgrep
Verifies that the Semgrep SARIF report complies with a set of predefined rules, so that non-compliant findings are detected.
This rule requires SARIF evidence.
Signed evidence for this rule IS NOT required by default, but is recommended.
The rule requires evaluation with a target. Without one, it will be disabled unless the --all-evidence flag is provided.
Usage example
uses: sarif/verify-semgrep-report@v2
Mitigation
Ensures that any violations detected in the SARIF report produced by Semgrep are promptly identified and flagged, helping to prevent the use of assets that do not meet the required security standards.
Description
This rule evaluates the SARIF report generated by Semgrep to verify that it complies with a set of predefined compliance rules.
It iterates over the vulnerability results in the SARIF report (located under input.evidence.predicate.content.runs[0].results) and retrieves the corresponding rule definitions from input.evidence.predicate.content.runs[0].tool.driver.rules based on each result's ruleIndex.
For each result, the rule checks whether the result's ruleId contains any of the identifiers specified in the configuration (with.rule_ids).
If the total number of matching findings exceeds the allowed threshold (specified by with.violations_threshold), a violation is recorded.
Each violation includes details such as the rule identifier, the extracted severity, and the location of the finding.
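To make that flow concrete, the following is an added Python example (not the rule's Rego source and not Scribe code) that applies the same checks to a constructed SARIF 2.1.0 document: it walks runs[0].results, resolves each result's rule via ruleIndex, matches ruleId by substring against rule_ids, and compares the match count with the threshold. Treating rule_level, precision and ignore as filters, falling back to the rule's defaultConfiguration level when a result carries no level, and using max_allowed as the threshold are assumptions about the rule's semantics; the rule IDs and file paths are constructed, not real Semgrep output.

```python
# Constructed minimal SARIF 2.1.0 document in Semgrep's shape (not real Semgrep output).
SARIF_REPORT = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "semgrep", "rules": [
        {"id": "example.security.eval-usage", "defaultConfiguration": {"level": "warning"},
         "properties": {"precision": "medium"}},
        {"id": "example.style.unused-import", "defaultConfiguration": {"level": "note"},
         "properties": {"precision": "high"}}]}},
    "results": [
        {"ruleId": "example.security.eval-usage", "ruleIndex": 0, "level": "warning",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                             "region": {"startLine": 12}}}]},
        {"ruleId": "example.style.unused-import", "ruleIndex": 1,  # no level: falls back to rule default
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/io.py"},
                                             "region": {"startLine": 3}}}]}]}]}


def evaluate(report, rule_ids=(), ignore=(), rule_level=(), precision=(), max_allowed=0):
    """Collect findings that match the configured filters and report whether the
    count stays within max_allowed. Filter semantics are assumptions, see lead-in."""
    run = report["runs"][0]
    rules = run["tool"]["driver"]["rules"]
    violations = []
    for result in run.get("results", []):
        rule_id = result.get("ruleId", "")
        # Resolve the rule definition the result points at via ruleIndex.
        rule = rules[result["ruleIndex"]] if "ruleIndex" in result else {}
        # Severity: the result's own level, else the rule's default level (assumption).
        level = result.get("level") or rule.get("defaultConfiguration", {}).get("level", "")
        prec = rule.get("properties", {}).get("precision", "")
        if any(skip in rule_id for skip in ignore):          # ignore list wins
            continue
        if rule_ids and not any(needle in rule_id for needle in rule_ids):  # substring match
            continue
        if rule_level and level not in rule_level:
            continue
        if precision and prec not in precision:
            continue
        loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
        uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
        line = loc.get("region", {}).get("startLine", "?")
        violations.append({"rule_id": rule_id, "severity": level, "location": f"{uri}:{line}"})
    return {"violations": violations, "passed": len(violations) <= max_allowed}


if __name__ == "__main__":
    outcome = evaluate(SARIF_REPORT, rule_ids=["security"], max_allowed=0)
    print("PASS" if outcome["passed"] else "FAIL", outcome["violations"])
```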
Evidence Requirements
- Evidence must be provided in a generic format conforming to the SARIF 2.1.0 schema.
- The SARIF report should be generated by Semgrep.
- The report must include detailed rule definitions and descriptions that support matching against the specified blocklist.
Evidence Requirements
| Field | Value |
|---|---|
| signed | False |
| content_body_type | generic |
| target_type | data |
| predicate_type | http://docs.oasis-open.org/sarif/sarif/2.1.0 |
Input Definitions
| Parameter | Type | Required | Description |
|---|---|---|---|
| rule_level | array | False | List of rule levels to check for in the SARIF report. |
| precision | array | False | List of precision levels to check for in the SARIF report. |
| rule_ids | array | False | List of rule IDs to check for in the SARIF report. |
| ignore | array | False | List of rule IDs to ignore in the SARIF report. |
| max_allowed | integer | False | The maximum number of allowed violations. |